Field extractions not creating fields at search time

twistedsixty4
Path Finder

So I've been working on a particularly complicated and convoluted set of log files that require a bit of regex work to be done. We've gotten the field extraction page to grab the right fields, and even tested the rex on the data set, first head 10000 and then no head at all, and it works fine. However, once we save the extractions we get nothing; no fields ever show up, even if we tell it to show fields with no related records. Any idea what we are missing here?

Edit:
all extractions are in the search app, but are given global permissions.

We have restarted our Splunk server several times; a few of the extractions from our transforms file show up, but that's it.

As for our formatting, the field extractor builds them, and we will click the test button and it works just fine in the testing window, but it's exactly when we save it that it just disappears.

We just updated to Splunk ver6; are we missing some configurations?

0 Karma
1 Solution

twistedsixty4
Path Finder

Because of how detailed the fields are, I was using multiple words to name them and was inadvertently adding spaces to my field names, causing them to not work after saving them. Thanks Kristian!

bailmon
Explorer

Another possible solution (for someone else) is that the results selector right under the search (magnifying glass) is in 'Fast Mode'. This will turn off field discovery. If you want to get the most fields put it in 'Smart Mode' or 'Verbose Mode'

twistedsixty4
Path Finder

Wait a minute.. That makes me an idiot, ok editing my extractions now to kill all of those! Thanks for your help!

0 Karma

twistedsixty4
Path Finder

No hyphens in the field names, but some names do contain spaces.

0 Karma

kristian_kolb
Ultra Champion

Do you give the fields names with hyphens?

twistedsixty4
Path Finder

We have restarted our Splunk server several times; a few of the extractions from our transforms file show up, but that's it.

As for our formatting, the field extractor builds them, and we will click the test button and it works just fine in the testing window, but it's exactly when we save it that it just disappears.

We just updated to Splunk ver6; are we missing some configurations?

0 Karma

kristian_kolb
Ultra Champion

You don't have any hyphens in the field names?

problem: my-new-field
will work: my_new_field
will work: myNewField

Post the configs also, so that you can get help with debugging. You should be aware that there will be slight differences in the regex, depending on whether you use it in a props.conf EXTRACT, or in a rex statement in the search query. (mainly to handle escaping)

/k
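
A lint check for the naming problem identified in this thread, as an added example that is not part of any post and not Splunk's own tooling: it scans props.conf text for EXTRACT settings whose named capture groups contain spaces, hyphens or other characters. The allowed-name pattern, the function name `lint_props` and the sample stanza are assumptions made for illustration.

```python
import re

# Conservative rule assumed for this example: a letter first, then letters,
# digits or underscores. The thread confirms only that spaces and hyphens
# break saved extractions and that my_new_field / myNewField work.
VALID_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Named capture groups: (?<name>...) or (?P<name>...). The negative
# lookahead skips lookbehind assertions (?<=...) and (?<!...).
NAMED_GROUP = re.compile(r"\(\?P?<(?![=!])([^>]*)>")
STANZA = re.compile(r"^\[(.+)\]\s*$")
EXTRACT = re.compile(r"^(EXTRACT-[^=\s]+)\s*=\s*(.+)$")


def lint_props(text):
    """Return (stanza, setting, field_name) for each bad field name."""
    findings = []
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = EXTRACT.match(line)
        if not m:
            continue
        setting, regex = m.groups()
        for name in NAMED_GROUP.findall(regex):
            if not VALID_NAME.match(name):
                findings.append((stanza, setting, name))
    return findings


# Constructed sample, not a config from the thread.
SAMPLE = r"""
[my_sourcetype]
EXTRACT-user = user=(?<user name>\w+)
EXTRACT-sess = session=(?<session-id>[0-9a-f]+)
EXTRACT-ok = src=(?<src_ip>\S+) .*(?<=port=)(?<destPort>\d+)
"""

if __name__ == "__main__":
    for stanza, setting, name in lint_props(SAMPLE):
        print(f"[{stanza}] {setting}: invalid field name {name!r}")
```
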

somesoni2
Revered Legend

Just try restarting Splunk. I had it working so many times doing that.

0 Karma

twistedsixty4
Path Finder

Yes they are, everything is inside the search app, and they all have global permissions.

0 Karma

linu1988
Champion

Are they saved in the same app you are using?

0 Karma